Identity-Aware Proxy Setup
Google Cloud Platform (GCP) provides the Identity-Aware Proxy (IAP) service to manage user access to web applications and resources hosted on Google Cloud.
To set up IAP:
- Create a project in GCP.
- Create an HTTPS Load Balancer.
- From Load Balancing, select From internet to my VMs or serverless services and Global HTTP(S) Load Balancer (classic).
- From Backend Configuration, create a Backend Service.
- Choose the corresponding Backend Type. If DataChat is deployed on Google Cloud, choose the appropriate backend type for the host(GCE, App Engine, etc.).
- Set the protocol to HTTPS.
- Save the backend for backend configuration. If using Internet Backend Endpoint Group:
- Under Host and Path Rules select Advanced mode, then edit the host and path rule to point to the created backend.
- Open the Add-on Action section, and set the Host Rewrite to the URL where the endpoint points to.
- Under Frontend Configuration, set up HTTP and HTTPS for the same IP address, then point a domain to this IP. You need a certificate for the HTTPS configuration. You can use an existing certificate from your domain, generate a new one, or use a Google-managed one.
- Save the load balancer.
- Enable IAP for the backend service you created before.
- Once enabled, click the three dots, then click Get JWT Audience Code.
- You can provide access to users by selecting Backend, then clicking Add Principal. Enter the email addresses of the users you would like to add, then select All roles > Cloud IAP > IAP-secured Web App User.
Google Drive Authentication Setup
To setup Google Drive Authentication:
- Create a project in your organization.
- On the Google Cloud Platform, select your project.
- From the menu, select APIs & Services > Library.
- Select Google Drive API, then click Enable.
- From the menu, select APIs & Services > OAuth Consent Screen.
- Select the User Type of Internal. While this does restrict loading to Google Drives within your organization, it avoids lengthy verification processes.
- Fill in the required fields for this consent screen. Be sure to click Add Domain then enter your bare domain. (e.g. datachat.ai)
- Click Save and Continue then Add or Remove Scopes.
- In the filter, enter "drive.readonly", and select https://www.googleapis.com/auth/drive.readonly.
- Click the checkbox of this entry, then click Update followed by Save and Continue.
- From the dashboard select Credentials.
- Click Create Credentials, then click OAuth Client ID.
- Select Web application under Application type.
- Add one Authorized Redirect URI.
- This should be the URL you access DataChat with + "/web/cloudauth/".
- Click Save, then from the popup, select Download JSON.
- If you need this file again, you can select the credentials you created from the Credentials menu, and Download JSON.
- Rename this file to "gauth_client_secrets.json".
- Create the folder "cloudauth" inside your DataChat File System, specified by the "$DATACHAT_FILE_SYS" environment variable.
- Move or copy gauth_client_secrets.json to the cloudauth folder.
Add DataChat IP for Read-Only Databases
If you are working from DataChat's cloud platform (apps.datachat.ai), connecting to a read-only database that's behind a firewall might require you to add the following IP addresses to your firewall's allowlist to allow DataChat to access your database:
Work with your organization's IT team to configure your firewall's allowlist.